From 90282ada5c323b8224fd8c17cb1ab3f355346183 Mon Sep 17 00:00:00 2001 From: des Date: Tue, 4 Nov 2014 23:33:46 +0000 Subject: [PATCH] [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:26] Fix remote command execution in ftp(1). [EN-14:12] Fix NFSv4 and ZFS cache consistency issue. Approved by: so (des) git-svn-id: svn://svn.freebsd.org/base/releng/9.3@274114 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 11 ++++++ contrib/tnftp/src/fetch.c | 36 +++++++++++-------- .../opensolaris/uts/common/fs/zfs/zfs_vnops.c | 1 + sys/conf/newvers.sh | 2 +- sys/kern/kern_prot.c | 31 ++++++++-------- 5 files changed, 51 insertions(+), 30 deletions(-) diff --git a/UPDATING b/UPDATING index a3fa9a25c..92d55bfba 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,17 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20141104: p5 FreeBSD-SA-14:25.setlogin + FreeBSD-SA-14:26.ftp + FreeBSD-EN-14:12.zfs + + Fix kernel stack disclosure in setlogin(2) / getlogin(2). + [SA-14:25] + + Fix remote command execution in ftp(1). [SA-14:26] + + Fix NFSv4 and ZFS cache consistency issue. [EN-14:12] + 20141022: p4 FreeBSD-EN-14:10.tzdata FreeBSD-EN-14:11.crypt diff --git a/contrib/tnftp/src/fetch.c b/contrib/tnftp/src/fetch.c index 91b49fd24..72153a546 100644 --- a/contrib/tnftp/src/fetch.c +++ b/contrib/tnftp/src/fetch.c @@ -547,7 +547,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) url_decode(decodedpath); if (outfile) - savefile = ftp_strdup(outfile); + savefile = outfile; else { cp = strrchr(decodedpath, '/'); /* find savefile */ if (cp != NULL) @@ -571,8 +571,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) rangestart = rangeend = entitylen = -1; mtime = -1; if (restartautofetch) { - if (strcmp(savefile, "-") != 0 && *savefile != '|' && - stat(savefile, &sb) == 0) + if (stat(savefile, &sb) == 0) restart_point = sb.st_size; } if (urltype == FILE_URL_T) { /* file:// URLs */ @@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) } /* end of ftp:// or http:// specific setup */ /* Open the output file. */ - if (strcmp(savefile, "-") == 0) { - fout = stdout; - } else if (*savefile == '|') { - oldintp = xsignal(SIGPIPE, SIG_IGN); - fout = popen(savefile + 1, "w"); - if (fout == NULL) { - warn("Can't execute `%s'", savefile + 1); - goto cleanup_fetch_url; + + /* + * Only trust filenames with special meaning if they came from + * the command line + */ + if (outfile == savefile) { + if (strcmp(savefile, "-") == 0) { + fout = stdout; + } else if (*savefile == '|') { + oldintp = xsignal(SIGPIPE, SIG_IGN); + fout = popen(savefile + 1, "w"); + if (fout == NULL) { + warn("Can't execute `%s'", savefile + 1); + goto cleanup_fetch_url; + } + closefunc = pclose; } - closefunc = pclose; - } else { + } + if (fout == NULL) { if ((rangeend != -1 && rangeend <= restart_point) || (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { /* already done */ @@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) (*closefunc)(fout); if (res0) freeaddrinfo(res0); - FREEPTR(savefile); + if (savefile != outfile) + FREEPTR(savefile); FREEPTR(uuser); if (pass != NULL) memset(pass, 0, strlen(pass)); diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c index ec16bf231..6837cb547 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c @@ -2812,6 +2812,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, int flags, cred_t *cr, #endif vap->va_seq = zp->z_seq; vap->va_flags = 0; /* FreeBSD: Reset chflags(2) flags. */ + vap->va_filerev = zp->z_seq; /* * Add in any requested optional attributes and the create time. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index e9e4f814d..6e1db903a 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 997da07f0..c658755bc 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -2073,21 +2073,20 @@ struct getlogin_args { int sys_getlogin(struct thread *td, struct getlogin_args *uap) { - int error; char login[MAXLOGNAME]; struct proc *p = td->td_proc; + size_t len; if (uap->namelen > MAXLOGNAME) uap->namelen = MAXLOGNAME; PROC_LOCK(p); SESS_LOCK(p->p_session); - bcopy(p->p_session->s_login, login, uap->namelen); + len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); - if (strlen(login) + 1 > uap->namelen) + if (len > uap->namelen) return (ERANGE); - error = copyout(login, uap->namebuf, uap->namelen); - return (error); + return (copyout(login, uap->namebuf, len)); } /* @@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct setlogin_args *uap) int error; char logintmp[MAXLOGNAME]; + CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); + error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); - if (error == ENAMETOOLONG) - error = EINVAL; - else if (!error) { - PROC_LOCK(p); - SESS_LOCK(p->p_session); - (void) memcpy(p->p_session->s_login, logintmp, - sizeof(logintmp)); - SESS_UNLOCK(p->p_session); - PROC_UNLOCK(p); + if (error != 0) { + if (error == ENAMETOOLONG) + error = EINVAL; + return (error); } - return (error); + PROC_LOCK(p); + SESS_LOCK(p->p_session); + strcpy(p->p_session->s_login, logintmp); + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); + return (0); } void -- 2.42.0